Skip to main content

Overview

Google Enterprise reCAPTCHA is a premium version of reCAPTCHA that provides advanced bot protection, enhanced analytics, and enterprise-grade support. It’s designed for high-traffic applications that require robust security and detailed insights.
To use Enterprise reCAPTCHA, you need to sign up for Google Cloud and create an Enterprise reCAPTCHA key.

Key Differences from Standard reCAPTCHA

Enterprise reCAPTCHA uses more sophisticated machine learning models to detect bots and provides better protection against automated attacks.
Get detailed insights into traffic patterns, bot detection accuracy, and user behavior through the Google Cloud Console.
Instead of a simple pass/fail, Enterprise reCAPTCHA provides risk scores (0.0 to 1.0) that you can use to make nuanced decisions about user verification.
Define custom security policies, create allowlists/denylists, and configure automated actions based on risk scores.
Enterprise customers receive SLA guarantees and dedicated technical support from Google.

Configuration

To use Enterprise reCAPTCHA with react-google-recaptcha, set the enterprise option to true in the global recaptchaOptions before your component mounts: 
window.recaptchaOptions = {
  enterprise: true,
};
This option must be set before the react-google-recaptcha component is first rendered, typically in your application’s entry point or in a <script> tag in your HTML.

Complete Example

Here’s a complete example of using Enterprise reCAPTCHA: 
import React from "react";
import ReactDOM from "react-dom";
import ReCAPTCHA from "react-google-recaptcha";

// Configure Enterprise reCAPTCHA
window.recaptchaOptions = {
  enterprise: true,
};

function EnterpriseForm() {
  const recaptchaRef = React.useRef();
  const [loading, setLoading] = React.useState(false);

  const handleSubmit = async (e) => {
    e.preventDefault();
    setLoading(true);

    const token = recaptchaRef.current.getValue();
    
    if (!token) {
      alert("Please complete the reCAPTCHA");
      setLoading(false);
      return;
    }

    try {
      // Send token to your backend for verification
      const response = await fetch('/api/verify-enterprise', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ 
          token,
          action: 'submit_form' // Optional: specify the action for analytics
        })
      });

      const data = await response.json();
      
      // Enterprise reCAPTCHA returns a risk score (0.0 - 1.0)
      // Lower scores indicate more likely to be a bot
      if (data.riskScore < 0.5) {
        alert("Suspicious activity detected. Please try again.");
        recaptchaRef.current.reset();
      } else {
        console.log("Form submitted successfully");
        // Process the form
      }
    } catch (error) {
      console.error("Error verifying reCAPTCHA:", error);
    } finally {
      setLoading(false);
    }
  };

  return (
    <form onSubmit={handleSubmit}>
      <input type="email" placeholder="Email" required />
      <input type="password" placeholder="Password" required />
      
      <ReCAPTCHA
        ref={recaptchaRef}
        sitekey="Your Enterprise site key"
        size="normal"
        theme="light"
      />
      
      <button type="submit" disabled={loading}>
        {loading ? "Submitting..." : "Submit"}
      </button>
    </form>
  );
}

ReactDOM.render(<EnterpriseForm />, document.getElementById('root'));

Backend Verification

With Enterprise reCAPTCHA, the backend verification is slightly different. You need to use the Enterprise API endpoint: 
// Node.js backend example
const { RecaptchaEnterpriseServiceClient } = require('@google-cloud/recaptcha-enterprise');

const client = new RecaptchaEnterpriseServiceClient();
const projectPath = client.projectPath(process.env.GOOGLE_CLOUD_PROJECT_ID);

async function verifyEnterpriseToken(token, action) {
  const request = {
    assessment: {
      event: {
        token: token,
        siteKey: process.env.RECAPTCHA_ENTERPRISE_KEY,
      },
    },
    parent: projectPath,
  };

  const [response] = await client.createAssessment(request);
  
  // Check if the token is valid
  if (!response.tokenProperties.valid) {
    console.log('Invalid token:', response.tokenProperties.invalidReason);
    return { success: false, riskScore: 0 };
  }

  // Check if the action matches (optional but recommended)
  if (response.tokenProperties.action !== action) {
    console.log('Action mismatch');
    return { success: false, riskScore: 0 };
  }

  // Return the risk score (0.0 - 1.0)
  // Higher scores indicate more likely to be legitimate
  return { 
    success: true, 
    riskScore: response.riskAnalysis.score 
  };
}
You’ll need to install the @google-cloud/recaptcha-enterprise package and set up Google Cloud authentication.

Using with recaptcha.net

You can combine Enterprise reCAPTCHA with the useRecaptchaNet option: 
window.recaptchaOptions = {
  enterprise: true,
  useRecaptchaNet: true,
};
This loads the Enterprise API from recaptcha.net instead of google.com:
  • https://recaptcha.net/recaptcha/enterprise.js

Script URLs

When you enable Enterprise mode, the library automatically loads the correct script: 
https://www.google.com/recaptcha/enterprise.js?onload=onloadcallback&render=explicit
You don’t need to manually manage these URLs - the library handles it automatically based on your window.recaptchaOptions configuration.

Risk Score Interpretation

Enterprise reCAPTCHA provides a risk score from 0.0 to 1.0:
  • 0.0 - 0.3: Very likely a bot - consider blocking or requiring additional verification
  • 0.3 - 0.7: Suspicious - may require additional checks or human review
  • 0.7 - 1.0: Likely legitimate - can proceed with normal flow
These are general guidelines. You should analyze your own traffic patterns and adjust thresholds based on your specific security requirements and user experience goals.

Best Practices

Use action names: Pass meaningful action names (e.g., “login”, “signup”, “purchase”) to help categorize and analyze events in the Google Cloud Console.
Monitor analytics: Regularly review the Enterprise reCAPTCHA dashboard in Google Cloud Console to understand traffic patterns and optimize your risk score thresholds.
Implement gradual challenges: Instead of blocking users with low scores outright, consider implementing progressive challenges (e.g., CAPTCHA, email verification, or rate limiting).
Don’t expose risk scores: Never send the actual risk score to the client - handle all risk assessment logic on your backend to prevent manipulation.

Troubleshooting

Make sure you’re using an Enterprise site key, not a standard reCAPTCHA v2 key. Enterprise keys are created in the Google Cloud Console, not the reCAPTCHA Admin Console.
Verify that window.recaptchaOptions is set before the component renders. If you’re using server-side rendering, ensure this configuration is included in your initial HTML.
Ensure you’ve:
  • Installed @google-cloud/recaptcha-enterprise
  • Set up Google Cloud authentication
  • Used the correct project ID and site key
  • Enabled the reCAPTCHA Enterprise API in your Google Cloud project

Additional Resources

Build docs developers (and LLMs) love

Get started for freeTalk to us